This document summarizes a webinar about multi-factor authentication (MFA) versus two-factor authentication. It discusses how true MFA uses multiple authentication factors and considers the user's device context and risk level to determine the appropriate authentication method. Regulations like PSD2 are driving increased use of MFA. Engaging cross-functional teams from fraud, security, and user experience is important for implementing effective and user-friendly authentication.

1. WEBINAR
MFA VS. 2FA
JUST A NUMBERS GAME, OR REAL VALUE?
APRIL 2018
MICHAEL THELANDER / SR DIRECTOR PRODUCT MARKETING

2. 2
A PRIMER ON AUTHENTICATION FACTORS
Something you
KNOW

3. 3
A PRIMER ON AUTHENTICATION FACTORS
Something you
HAVE

4. 4
A PRIMER ON AUTHENTICATION FACTORS
Something you
ARE
Identity
verified

5. 5
A PRIMER ON MULTI-FACTOR AUTHENTICATION
Something you
ARE
Something you
HAVE
Something you
KNOW

6. 6
A PRIMER ON MULTI-FACTOR AUTHENTICATION
“A cord with three strands is not easily broken.”

7. AGENDA
7
WHAT’S NOT MFA?
WHAT’S TRUE MFA?
WHO ASKS FOR MFA?
WHAT NOW?

8. WHAT’S NOT MFA?
THE RISE OF TWO FACTOR AUTHENTICATION

9. 9
 A way to resolve inherent issues with
passwords
 Adds an additional, out-of-band
authentication that comes through
security dongles or the user’s phone
 Ostensibly, this provides additional
assurance that the user’s account
hasn’t been compromised or is subject
to a man-in-the-middle attack
AUTHENTICATING WITH TWO FACTORS
B E T T E R T H A N O N E , B U T S T I L L … .

10. 10
 If the 2nd factor is delivered through
SS7 protocol it’s susceptible to intercept
 SMS messaging as a way to transfer 2-
factor messages has been removed
from NIST security guidance (see 800-63-3)
 Weaknesses have been uncovered in
almost every form of 2FA, though push
notification to a mobile app seems
most secure
AUTHENTICATING WITH TWO FACTORS
B E T T E R T H A N O N E , B U T S T I L L … .

11. 11
MULTI-METHOD DOESN’T MEAN MULTI -FACTOR
Something you
KNOW

12. WHAT’S TRUE MFA?
NOT JUST MULTIPLE FACTORS, BUT HOW THEY’RE
USED

13. 13
IT’S ALL ABOUT THE USER’S DEVICE
A N E N G I N E F O R C O N T E X T A N D R I S K
DEVICE ID
GEO LOCATION
DEVICE INTEGRITY
ADDITIONAL
DEVICE CONTEXT
ASSOCIATIONS &
REPUTATION
USER 1 ACCESS

14. 14
RISK INSIGHT FROM THE USER’S DEVICE
+1000
DEVICE ID
GEO LOCATION
DEVICE INTEGRITY
ADDITIONAL
DEVICE CONTEXT
ASSOCIATIONS &
REPUTATION
USER 1 ACCESS
+10
SCORE
LOW RISK
=
Frictionless
Consumer
Experience
+10SCORE

15. 15
CLEARKEY
A N E N G I N E F O R C O N T E X T A N D R I S K
DEVICE ID
GEO LOCATION
DEVICE INTEGRITY
ADDITIONAL
DEVICE CONTEXT
ASSOCIATIONS &
REPUTATION
USER 2 ACCESS
+10
SCORE
MEDIUM
RISK=
Moderate
Friction
USERNAME
&
PASSWORD
0SCORE
+200

16. 16
CLEARKEY
A N E N G I N E F O R C O N T E X T A N D R I S K
DEVICE ID
GEO LOCATION
DEVICE INTEGRITY
ADDITIONAL
DEVICE CONTEXT
ASSOCIATIONS &
REPUTATION
USER 3 ACCESS
+10
SCORE
HIGH RISK=
PIN +
Biometric
Factors
-10SCORE
0

17. 17
CLEARKEY
A N E N G I N E F O R C O N T E X T A N D R I S K
DEVICE ID
GEO LOCATION
DEVICE INTEGRITY
ADDITIONAL
DEVICE CONTEXT
ASSOCIATIONS &
REPUTATION
USER 3 ACCESS
+10
SCORE
HIGH RISK=
Step-Up
Authentication
-10SCORE
Watch Lists
-1000
Watch ListsWatch ListsWatch Lists
Call
Customer
Service

18. 18
MOBILE MULTIFACTOR AUTHENTICATION
S T R O N G A N D F L E X I B L E A U T H E N T I C A T I O N
Identity
verified
+ +

19. WHO ASKS FOR MFA?
WHAT REGULATIONS AND STANDARDS ARE IN PLAY?

20. 20
13 January 2018
 PSD2 goes into effect for member states
November-December 2018
 The RTS (Regulatory Technical Standards) enter into force
 Exceptions are managed
 Systems are auditable
SIMPLE DEADLINES

21. 21
TWO THINGS TO NOTE
 This is about
“out-of-band”
authentication
 Basically, use
two different
channels and
two different
methods to
authenticate
and authorize

22. 22
TWO THINGS TO NOTE
Smith Fashions
wants to have
€250. Is this
OK?
What for?
Looks like you
ordered a new
coat at
breakfast.
That’s right.
Go ahead.

23. 23
SCA REQUIRES AUTHORIZATION
D I F F E R E N T F R O M A U T H E N T I C A T I O N
• Identity assurance
• Are you really you?
• How have you proven you
are you?
AUTHENTICATION
• OK, you’re you!
• But are you authorized to do
what you’re asking to do?
• Do you approve this?
AUTHORIZATION

24. 24
First-Party
Authorization
Multi-Party
Authorization
O
R
A U T H O R I Z E I N D I V I D U A L O R G R O U P T R A N S A C T I O N S

25. 25
WHO ELSE ASKS FOR BETTER
AUTHENTICATION?
Meet the user
experience team, aka:
• Digital experience
• Digital transformation
• Customer experience
• Millennials who know
what “good” user
experience looks like,
feels like, and measures
Poor or complex
authentication is the
Number One
complaint of users
across all verticals:
• Finance
• E-Commerce
• Social
• Insurance

26. WHAT NOW?
WORKING WITH CROSS-FUNCTIONAL TEAMS

27. 27FRAUD TEAM IAM & INFOSEC TEAM USER EXPERIENCE TEAM
ENGAGE YOUR CROSS -FUNCTIONAL TEAMS

28. 28
ENGAGE YOUR CROSS -FUNCTIONAL TEAMS
 The Fraud Team has
irreplaceable insight but
is often seen as tactical
 The fraud team also has
something most teams
don’t: actual cost metrics
 Create an alliance!
 Learn the language of
infosec experts
FRAUD TEAM
 Nobody wants to be the
“Director of No”
 Look to your left and right
and reach out
 Become customer-centric
 Consider ideas outside of
the infosec sphere
 Understand what Fraud is
IAM & INFOSEC TEAM
 Be a Change Agent – all
the power is in your
hands
 Teach the other teams
your language and your
metrics
 Enlist aid, ask for help
 Be the expert, but get
everyone else to care
about the user journey
USER EXPERIENCE TEAM

29. 29

30. 30

31. 31
iovation.com/dummie
s
Go to
to register for your free copy

32. 32
IOVATION’S FRAUD FORCE
R E G I S T R A T I O N I S O P E N
LONDON CHICAGO
JUNE 4-6-2018 OCT 17-18OCTOBER 2-4, 2018

33. CONTACT US
@TheOtherMichael
SENIOR DIRECTOR OF PRODUCT MARKETING
MICHAEL
THELANDER
michael.thelander@iovation.com
www.iovation.com